## 20160505 AK

----
 [[ConvertingPgpKeyToCertificate/CZ|Česky]] | '''english'''
----

== Creating a new X.509 certificate from your PGP key pair ==

This page complements http://wiki.cacert.org/ConvertingCertificateToPgp by describing the reverse direction.

The following tools are needed: [[http://gnupg.org/download/index.en.html|GnuPG]], [[http://manpages.ubuntu.com/manpages/natty/man1/openpgp2ssh.1.html|openpgp2ssh]] from the [[http://web.monkeysphere.info/|monkeysphere]] project and [[http://openssl.org/|openssl]].

/!\ The steps described were performed on a virtual machine running Ubuntu.

----

 1. You have already created a PGP key pair of RSA keys. Its secret key looks like this:
 {{{sec   2048R/059B4809 2011-10-29 [valid to: 2013-12-31]}}}<<BR>><<BR>>The PGP key ID is $KEYID (in this example 059B4809).

----

 2.#2 openpgp2ssh works only if the secret key is not password-protected. So it might be necessary to remove the protection. The corresponding gpg command is: 
 {{{gpg --edit-key $KEYID}}}<<BR>><<BR>>Then use the {{{passwd}}} sub-command to remove the password.

----

 3.#3 Now it's time to export the PGP key and hand it over to openpgp2ssh: 
 {{{gpg --export-secret-key $KEYID | openpgp2ssh $KEYID > id_rsa}}}<<BR>><<BR>>id_rsa's content should look like:
 {{{
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0s2wNIWuUzuBYU9U0cK/mGa4LMtsWTEZEFTQhHj2eg4ZHmdt[...]
-----END RSA PRIVATE KEY-----
 }}}

----

 4.#4 Next a Certificate Signing Request (CSR) can be generated:
 {{{openssl req -new -key id_rsa -out id_rsa.csr}}}<<BR>><<BR>>id_rsa.csr's content should look like:
 {{{
-----BEGIN CERTIFICATE REQUEST-----
MIIC9jCCAd4CAQAwgZkxCzAJBgNVBAYTAkRFMRMwEQYDVQQIEwpTb21lLVN0YXRl[...]
-----END CERTIFICATE REQUEST-----
 }}}

----

 5.#5 Now you have a CSR. Log in to the CAcert webpage -> "Client Certificates" -> "New" -> choose the registered email address, mark "Show advanced options", copy the content of {{{id_rsa.csr}}} into the input field headed "Optional Client CSR, no information on the certificate will be used", then click "Next".

----

 6.#6 CAcert should notify you that the certificate can be retrieved.

----

 7.#7 Copy the content from the certificate and from the file {{{id_rsa}}} into one file {{{email@address.pem}}}.
 Its content should look like:
 {{{
-----BEGIN CERTIFICATE-----
MIIFRjCCAy6gAwIBAgIDCuP8MA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv[...]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0s2wNIWuUzuBYU9U0cK/mGa4LMtsWTEZEFTQhHj2eg4ZHmdt[...]
-----END RSA PRIVATE KEY-----
 }}}

----

 8.#8 Finally create a PKCS#12 container:
 {{{openssl pkcs12 -export -in email@address.pem -out email@address.pem.p12}}}

----

You may now import your key pair to your email client.
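
An added example (not part of the original page and not CAcert tooling): a shell check to run before step 8, confirming that the CSR from step 4 and the issued certificate from step 7 carry the same RSA public key as {{{id_rsa}}}. The certificate file name {{{cert.pem}}} and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: confirm that the CSR (step 4) and the issued certificate
# (step 7) carry the same RSA public key as id_rsa (step 3).
# Assumption: the certificate was saved to its own file (cert.pem here);
# the page does not name that file.

# Print "Modulus=<hex>" for an RSA private key, CSR or certificate.
modulus_of() {
    case $1 in
        key)  openssl rsa  -in "$2" -noout -modulus 2>/dev/null ;;
        csr)  openssl req  -in "$2" -noout -modulus 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -modulus 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# same_key KEYFILE KIND FILE: succeed only if both moduli exist and are equal.
# A file that cannot be parsed is an error, never a match.
same_key() {
    sk_key=$(modulus_of key "$1") || return 2
    sk_other=$(modulus_of "$2" "$3") || return 2
    [ -n "$sk_key" ] && [ "$sk_key" = "$sk_other" ]
}

# check_files KEYFILE CSRFILE CERTFILE: run all checks, report the first failure.
check_files() {
    openssl rsa -in "$1" -check -noout >/dev/null 2>&1 ||
        { echo "FAIL: $1 is not a consistent RSA private key" >&2; return 1; }
    same_key "$1" csr "$2" ||
        { echo "FAIL: $2 was not generated from $1" >&2; return 1; }
    same_key "$1" cert "$3" ||
        { echo "FAIL: $3 does not match $1" >&2; return 1; }
    echo "OK: key, CSR and certificate share one RSA modulus"
}

# Usage: sh check_bundle.sh id_rsa id_rsa.csr cert.pem
if [ "$#" -eq 3 ]; then
    check_files "$1" "$2" "$3"
fi
```

A mismatch at this point usually means the CSR pasted into the web form came from a different key than the {{{id_rsa}}} being bundled.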

----
 . CategoryStepByStep